Weekly Metasploit Update: Back to Work!

Last updated at Thu, 11 Jan 2024 19:40:03 GMT

Hey, it's the first post-Metasploit 4.3.0 update, which means that I'm back in the blogging business. Huzzah!

We've all been heads-down for a while getting this bad boy out the door, so while there's not a ton of new functionality to talk about this week, we do have some neat new modules, and one API change for module developers.

Wake On LAN

"The most secure computer is the one that's not turned on," is an old computer security adage, speaking to the complexity of modern operating systems and applications. Unfortunately, this is no longer true, thanks to Wei "sinn3r" Chen's new Wake-on-LAN module.

Wake-On-LAN is a feature of some NICs that allow system administrators to remotely power on computers in the local broadcast domain. For many sites, this is equivalent to the LAN, so you can power on a machine from across the room or down the hall. Now that you can accomplish this same task from within Metasploit, it can be kind of spooky and funny.

Now, imagine walking into a site that went all bridge-network crazy, for example to forward DHCP requests. In such an environment, you'll now be able to power on machines that the client didn't realize was reachable -- say, across VLANS. That can make for a powerful demonstration of why bridging networks might not be such a good idea.

Smarter Print_* Methods

During and since the 4.3.0 release, we've been trying to nail down what a standard print statement ought to look like in the context of a Metasploit module. To that end, James "egyp7" Lee has refreshed all the print_* methods for HTTP browser modules to automatically prepend messages with a sensible client IP address. What this means is, if you're in the business of writing browser exploits, you would no longer write something like:

  print_status("#{self.name} Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}...")

You should instead simply write:

  print_status "Sending Applet.jar"

This will result in the console messages:

  [*] 10.20.30.40    java_rmi_connection_impl - Sending Applet.jar   [*] 1.1.1.5        vlc_mms_bof - Sending malicious page

This is nice because if you're running several browser exploits and have several potential targets, it's much easier to tell who's actually getting your exploits. Clients behind NATs are still difficult to distinguish in a human-readable way, but if you have good ideas on how to solve that problem, feel free to submit patches. (: Over the next few updates, all Metasploit print_* methods should end up with some sensible defaults for communication like this, which should make life easier for both module developers and users alike.

Other New Modules

Finally, sinn3r and friends have been busy knocking out new exploits for this week's update.

• webcalendar_settings_exec.rb by sinn3r exploits CVE-2012-1495 in WebCalendar from k5n.us
• mcafee_mvt_exec.rb by sinn3r exploits an unreported vulnerability in McAfee MVTControl
• vlc_mms_bof.rb by sinn3r and Juan Vazquez exploits CVE-2012-1775 in VLC Media Player
• ms12_027_mscomctl_bof.rb by sinn3r and Juan Vazquez exploits MS12-027 in Microsoft Office 2007 and 2010
• shadow_stream_recorder_bof.rb by b0telh0 exploits BID-34864 in Shadow Stream Recorder
• execute.rb is a post module by HD Moore which runs an arbitrary command over a shell or Meterpreter session

Availability

If you're new to Metaspoit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.